steven-michaud / HookCase

Tool for reverse engineering macOS/OS X

macOS 11.4 breaks HookCase

steven-michaud opened this issue · comments

HookCase.kext loads correctly. But I got a kernel panic when I tried to load the "events" example hook library into Safari. There was an error message displayed at the top of the kernel panic report:

    panic(cpu 2 caller 0xffffff8006eaa6dd): "unexpected mode: 0"@/System/Volumes/Data/SWE/macOS/BuildRoots/e90674e518/Library/Caches/com.apple.xbs/Sources/xnu/xnu-7195.121.3/osfmk/kern/priority.c:929

This is presumably #27 over again. I'll be working on this. In the meantime don't use HookCase on macOS 11.4.

New security updates for macOS 10.15.7 and 10.14.6 also came out at the same time as macOS 11.4. As with #27, HookCase is not affected by these.

For the record:

Apple fixed 5 Kernel bugs in 11.4

Kernel
Available for: macOS Big Sur
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved validation.
CVE-2021-30740: Linus Henze (pinauten.de)

Kernel
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-30704: an anonymous researcher

Kernel
Available for: macOS Big Sur
Impact: Processing a maliciously crafted message may lead to a denial of service
Description: A logic issue was addressed with improved state management.
CVE-2021-30715: The UK's National Cyber Security Centre (NCSC)

Kernel
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved size validation.
CVE-2021-30736: Ian Beer of Google Project Zero

Kernel
Available for: macOS Big Sur
Impact: A local attacker may be able to elevate their privileges
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-30739: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab

via: https://support.apple.com/en-us/HT212529

This is presumably #27 over again.

Yup.

I've found a change in the kernel's struct thread that explains the kernel panics. But I need to continue going through all the kernel structures used directly by HookCase, to see if others haven't also changed. I expect that to take me another day or two.

I just released another new version of HookCase to fix this problem.

I hope Apple's behavior with macOS 11.3 and 11.4 isn't a sign of things to come with 11.5 and 11.6. But I can only wait to find out. It's probably a good idea to disable loading HookCase.kext at boot before upgrading to either of these future versions of macOS.

I hope Apple's behavior with macOS 11.3 and 11.4 isn't a sign of things to come with 11.5 and 11.6

Could you please elaborate on this? What do you think is coming?

I'm afraid that macOS 11.5 and 11.6 will contain further changes to kernel structures that HookCase accesses directly. This will always cause some kind of breakage. It may be that it just stops working. Or (more likely) there will be kernel panics when you load a hook library, or even HookCase.kext itself.

In the past these kinds of changes happened mostly (though not always) in new major releases -- for example of macOS 11 or 10.15 or 10.14. It's true that 11.3 and 11.4 both contained significant kernel changes. So maybe that explains it. Or maybe Apple is now changing its behavior, and in the future important kernel structures will routinely be changed in "point" releases (like 11.3 and 11.4), as distinct from "point point" releases (like 11.2.3 and 11.3.1). Only time will tell.

In the meantime I strongly suggest you disable loading at boot before upgrading to a "point" release (like 11.5 or 11.6). If HookCase.kext triggers a kernel panic as it loads, your system may become unbootable. (Though you'd still probably be able to avoid the problem by pressing Cmd-R on restart, and booting into the recovery partition.)

Thanks for the information. 🙏🏼

In the meantime I strongly suggest you disable loading at boot before upgrading to a "point" release (like 11.5 or 11.6). If HookCase.kext triggers a kernel panic as it loads, your system may become unbootable. (Though you'd still probably be able to avoid the problem by pressing Cmd-R on restart, and booting into the recovery partition.)

The way I load HookCase.kext is pretty safe: a wrapper gets loaded as a root daemon which:

  • loads HookCase.kext
  • disables the daemon
  • waits for 10 minutes
  • enables the daemon

So a reboot within 10 minutes will disable the extension.

Actually, you'll still have trouble if HookCase.kext triggers a kernel panic as it loads. You'll reboot continuously until you somehow stop the cycle. (Cmd-R would probably work.)

What do you mean by "disables the daemon" and "enables the daemon"?

Edit: I misunderstood what you said. It's the daemon that gets loaded at boot. Still, though, it won't be able to disable itself if HookCase.kext triggers a kernel panic as it's loaded.

Oops, sorry, I made a mistake explaining the logic. Actually the wrapper gets loaded by the root daemon and:

  • disables the daemon
  • loads HookCase.kext
  • waits for 5 minutes
  • enables the daemon

This is the root daemon: /Library/LaunchDaemons/hookcase.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
    </dict>
    <key>Label</key>
    <string>hookcase</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/sbin/HookCase_Wrapper.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

And this is the wrapper: /usr/local/sbin/HookCase_Wrapper.sh

#!/bin/sh
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"

# Mark the "hookcase" daemon as disabled in launchd's persistent override
# database and in the LaunchDaemon plist itself, so that if loading the kext
# panics the machine, the daemon will not run again on the next boot.
defaults write /var/db/com.apple.xpc.launchd/disabled.plist "hookcase" 1
chmod 644 /var/db/com.apple.xpc.launchd/disabled.plist
defaults write /Library/LaunchDaemons/hookcase.plist Disabled -bool TRUE
chmod 644 /Library/LaunchDaemons/hookcase.plist

# Only now load the kext.
kmutil load -p /usr/local/sbin/HookCase.kext

# Five-minute grace window: a reboot before this elapses leaves the daemon disabled.
sleep 300

# The system survived the load, so re-enable the daemon for future boots.
defaults write /var/db/com.apple.xpc.launchd/disabled.plist "hookcase" 0
chmod 644 /var/db/com.apple.xpc.launchd/disabled.plist
defaults delete /Library/LaunchDaemons/hookcase.plist Disabled
chmod 644 /Library/LaunchDaemons/hookcase.plist

Let me know what you think.

Let me know what you think.

It looks fine to me. You've thought it all out very carefully.
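The thread's recommendation is to disable loading at boot before a "point" upgrade, because HookCase reads kernel structures directly and a new xnu build can change them. The wrapper above handles the panic-loop risk with a timed disable window, but still attempts the load on whatever kernel happens to be running. The script below is an added example, not HookCase's code or the commenter's, that adds the check a practitioner would want in front of that: it extracts the xnu source tag from `uname -v` (the same tag that appears in the 11.4 panic report, xnu-7195.121.3) and refuses to load the kext unless that tag is on a hand-maintained allowlist of kernels the installed HookCase build has been verified on. The allowlist contents, the label `hookcase`, the kext path and the use of `launchctl disable`/`enable` (in place of the post's direct edits to disabled.plist) are assumptions; the sample `uname -v` line is constructed in the real format for illustration.

```shell
#!/bin/sh
# Added example (not HookCase's own code): boot-time wrapper that loads
# HookCase.kext only on a kernel it has been tested against, then mirrors the
# timed disable/enable window from the post above.
# Assumptions: LaunchDaemon label "hookcase", kext at /usr/local/sbin/HookCase.kext,
# ALLOWED_XNU_TAGS maintained by hand after each verified upgrade.
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"

# Hypothetical allowlist of xnu source tags this HookCase build is known to work on.
# xnu-7195.121.3 is the kernel named in the macOS 11.4 panic report in this issue.
# Add a tag only after a hook library loads without a panic on that kernel.
ALLOWED_XNU_TAGS="xnu-7195.121.3"
KEXT_PATH=/usr/local/sbin/HookCase.kext
DAEMON_LABEL=hookcase
WINDOW_SECONDS=300

# Constructed sample of a `uname -v` line on macOS 11.4, used for self-testing.
SAMPLE_UNAME_V="Darwin Kernel Version 20.5.0: Sat May  8 05:10:33 PDT 2021; root:xnu-7195.121.3~9/RELEASE_X86_64"

# Print the "xnu-A.B.C" source tag embedded in a `uname -v` line, or nothing
# if the line does not carry one (an unknown kernel is treated as untested).
xnu_tag_from_uname_v() {
    printf '%s\n' "$1" | sed -n 's/.*root:\(xnu-[0-9][0-9.]*\)~.*/\1/p'
}

# Return 0 if tag $1 is one of the whitespace-separated tags in $2, else 1.
tag_allowed() {
    tag=$1
    for allowed in $2; do
        [ "$tag" = "$allowed" ] && return 0
    done
    return 1
}

# The load path runs only when invoked as "HookCase_Wrapper.sh --load" (put that
# argument in the LaunchDaemon's ProgramArguments), so the file can be sourced
# for testing without touching launchd or the kext.
if [ "${1:-}" = "--load" ]; then
    tag=$(xnu_tag_from_uname_v "$(uname -v)")
    if ! tag_allowed "$tag" "$ALLOWED_XNU_TAGS"; then
        logger -t "$DAEMON_LABEL" "refusing to load $KEXT_PATH on untested kernel '$tag'"
        exit 2
    fi
    # Disable our own label before loading, so a panic during the load cannot
    # turn into a reboot loop; launchctl's persistent override database is used
    # here instead of editing disabled.plist by hand.
    launchctl disable "system/$DAEMON_LABEL"
    kmutil load -p "$KEXT_PATH"
    sleep "$WINDOW_SECONDS"
    # Still running after the grace window: re-enable for future boots.
    launchctl enable "system/$DAEMON_LABEL"
fi
```

After upgrading to a new point release, the wrapper logs a refusal and exits instead of loading; once a HookCase release that supports the new kernel has been installed and verified, append that kernel's tag to `ALLOWED_XNU_TAGS`. This turns the "remember to disable before upgrading" step into a default, while keeping the timed window as a second line of defence against a kext that loads but panics later.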